Getting Ready for GDPR

A metadata-driven approach is important for ensuring compliance with the EU's new data privacy law.

One of the biggest challenges IT professionals responsible for corporate data will face in 2017 comes from a law passed by the European Union due to take effect in 2018, the General Data Protection Regulation (GDPR).

The GDPR is intended to better protect the personal information of European citizens, and it comes with stiff penalties for companies that don’t comply. It is also far-reaching in nature, as it applies not just to EU member countries, but also to organizations outside the EU that collect personal data on EU citizens. That means a U.S.-based company that sells goods or services to an EU citizen, and during this process collects their personal data, will be subject to GDPR requirements for data privacy and protection.

While the GDPR spells out in no uncertain terms the level of protection companies must provide for personal data, it says little about which technologies organizations can use to deliver those protections. One approach companies would do well to consider is an enterprise content management (ECM) system that leverages metadata to enforce strict controls and security measures to protect personal customer information.

GDPR Explained

GDPR essentially replaces the EU’s Data Protection Directive, which was adopted in 1995. Scheduled to take effect in May 2018, the GDPR is intended to provide EU citizens with a number of benefits, including easier access to their personal information housed by any company that collects it, as well as details about how the company uses their data. It also gives citizens a right to data portability, such as when they switch service providers, and the right to have their data deleted. In addition, it gives citizens the right to know when their data has been compromised, through a provision that requires companies to alert authorities within 72 hours of any data breach involving personal data.

For businesses that must comply with GDPR, the updated regulation promises to simplify existing rules and guidelines. Rather than trying to adhere to a patchwork of data privacy rules country by country, the GDPR will be a single law that applies to companies operating within any EU country. The European Commission estimates this will save companies around 2.3 billion euros a year by doing away with “the current fragmentation and costly administrative burdens.”

Perhaps the biggest change that GDPR brings is in terms of jurisdiction. Previously there was some ambiguity about the extent to which the EU’s Data Protection Directive applied to companies based outside of the EU. The GDPR clears that up, saying “it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.” The law makes it incumbent upon any company that collects personally identifiable information (PII) on EU citizens to meet GDPR requirements.

GDPR Requirements and Penalties for Non-Compliance

As spelled out in the summary of articles on the GDPR website, requirements include adhering to the theme of “privacy by design,” which calls for the inclusion of data protection from the onset of system design. The regulation calls for “appropriate” technical and organizational measures to meet this requirement. It includes the concept of “data minimization,” meaning holding only data that’s absolutely necessary to the purpose at hand and limiting access to PII to those “needing to act out the processing.”
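To make the metadata-driven approach from the introduction concrete alongside the data minimization and access limitation requirements just described, here is an added illustration in Python. It is not code from the article or from any ECM product: every record carries metadata (which fields are personal data, the purpose it was collected for, the data subject it belongs to), and all policy decisions read that metadata rather than the content. The record layout, the `NEEDED_FIELDS` policy table, and the sample records are assumptions constructed for the example.

```python
"""Metadata-driven controls over records that hold personal data.

Hypothetical example: an in-memory store whose records are tagged with
metadata, and whose policy checks (purpose limitation, access limitation,
data minimization, subject access and erasure) are driven by that metadata.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Record:
    record_id: str
    subject_id: str        # the person the data is about ("" if none)
    purpose: str           # why the data was collected, e.g. "billing"
    pii_fields: Set[str]   # which fields hold personal data
    fields: Dict[str, str]


@dataclass
class User:
    name: str
    purposes: Set[str]     # processing purposes this user acts on


# Assumed policy: the fields each purpose genuinely needs (data minimization).
# Analytics is deliberately given no PII fields at all.
NEEDED_FIELDS = {
    "billing": {"name", "iban"},
    "support": {"name", "email"},
    "analytics": set(),
}


def can_access(user, record, purpose):
    """Records without PII are open; records with PII may only be read for
    the purpose they were collected for, and only by users acting on it."""
    if not record.pii_fields:
        return True
    return purpose == record.purpose and purpose in user.purposes


def minimize(record, purpose):
    """Return the record's fields with any PII not needed for this purpose removed."""
    needed = NEEDED_FIELDS.get(purpose, set())
    return {k: v for k, v in record.fields.items()
            if k not in record.pii_fields or k in needed}


class Store:
    def __init__(self):
        self.records: Dict[str, Record] = {}
        self.audit: List[str] = []   # every decision is logged for the DPIA trail

    def add(self, record):
        self.records[record.record_id] = record

    def read(self, user, record_id, purpose):
        rec = self.records[record_id]
        if not can_access(user, rec, purpose):
            self.audit.append(f"DENY {user.name} {record_id} purpose={purpose}")
            raise PermissionError(f"{user.name} may not read {record_id} for {purpose}")
        self.audit.append(f"ALLOW {user.name} {record_id} purpose={purpose}")
        return minimize(rec, purpose)

    def export_subject(self, subject_id):
        """Right of access / portability: everything held about one subject."""
        return [{"record_id": r.record_id, "purpose": r.purpose, "data": dict(r.fields)}
                for r in self.records.values() if r.subject_id == subject_id]

    def erase_subject(self, subject_id):
        """Right to erasure: drop every record for the subject; returns the count."""
        doomed = [rid for rid, r in self.records.items() if r.subject_id == subject_id]
        for rid in doomed:
            del self.records[rid]
        self.audit.append(f"ERASE subject={subject_id} records={len(doomed)}")
        return len(doomed)


def build_sample_store():
    """Constructed sample data (not real people): two PII records for one
    subject collected for different purposes, plus one non-PII record."""
    store = Store()
    store.add(Record("r1", "subj-1", "billing", {"name", "iban", "email"},
                     {"name": "A. Example", "iban": "DE00 TEST 0000",
                      "email": "a@example.test", "invoice_total": "42.00"}))
    store.add(Record("r2", "subj-1", "support", {"name", "email"},
                     {"name": "A. Example", "email": "a@example.test",
                      "ticket": "printer offline"}))
    store.add(Record("r3", "", "analytics", set(), {"page_views": "17"}))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    alice = User("alice", {"billing"})
    print(store.read(alice, "r1", "billing"))   # email is stripped: not needed for billing
    print(store.export_subject("subj-1"))
    print(store.erase_subject("subj-1"), "records erased")
```

The two checks are separate on purpose: `can_access` decides whether a read may happen at all (purpose limitation plus least privilege), while `minimize` shapes what comes back so that a permitted reader still never sees PII their purpose does not need. Because both read only record metadata, a DPIA can review the policy table and the audit log without inspecting the content itself.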

The GDPR also requires companies to perform data protection impact assessments (DPIAs) to identify any risks of noncompliance, so the company can take steps to address them.

Public authorities and companies that process PII for 5,000 or more individuals in any 12-month period must also appoint a data protection officer (DPO). This individual must have expert knowledge of data protection laws and practices and be responsible for ensuring the company is in compliance.